Regulators voice concerns over cloud risk
Risk USA: failure of big cloud service provider could cause “a very large shock”, says NY Fed exec
Concerns are growing among regulators that an outage or failure at a tech giant that provides outsourced cloud services to a large number of institutions could cascade through the financial system, according to a senior executive from the Federal Reserve Bank of New York.
Regulators acknowledge there is a trade-off between relying on a handful of vendors to provide services that improve institutions’ resilience to shocks on an individual basis – for instance, by enabling workers to ‘remote in’ to systems from home while they are unable to come into the office during the Covid-19 pandemic – versus the risk that an attack on such a firm that could cause outsized disruption to the entire system.
“The vulnerabilities in a third-party provider might plague multiple institutions at once, and that can lead to a very large shock that wouldn’t be possible if we had a more diverse ecosystem of controls and practices,” said Michael Lee, a New York Fed financial economist, during a panel discussion at Risk USA on November 17, where he was speaking in a personal capacity.
The issue of concentration risk has attracted the attention of the Financial Stability Board, which earlier this month issued a discussion paper on outsourcing and third-party relationships. The paper is based on a survey of national supervisors that says systemic risk arising from concentration of services to financial institutions is likely to increase.
While the benefits and cost savings of moving critical operations to the cloud are compelling, operational risk executives have long feared an overreliance on the big three service providers – Amazon, Google and Microsoft – could place financial institutions and their customers at risk.
Concentration risk is part of a broader set of outsourcing risks that have arisen since the start of the pandemic, which has caused institutions to reassess the resilience of their third-party suppliers, scrutinising everything from their financial well-being to their ability to switch to other providers, should their primary ones fail.
“You have an ecosystem of third parties we all tend to use, and that leads to concentration risk. Almost all of us have a significant reliance on one of the top three large service providers: Amazon, Google and Microsoft. That’s where we start seeing concentration risk,” said Mandar Rege, managing director of operational risk management, technology and cyber security at Citi, during the same panel discussion.
Regulators have noted that as larger numbers of financial institutions migrate to the cloud, a small number of service providers could represent a single point of failure and therefore pose systemic risks.
The Bank of England, in a 2019 report, suggested that cloud providers should be regulated. It called on the Prudential Regulation Authority “to engage with service providers directly to ensure they meet supervisory expectations”, and assess third-party risk management at the individual firm level, such as service level agreements and fallback arrangements.
“Most banks use AWS [Amazon Web Services], and some are very reliant. This creates a huge concentration risk for regulators. I would not be surprised to see a systemic label applied to a select number of vendors like Amazon,” says Evan Sekeris, head of model validation at PNC Financial Services Group, and a former Fed regulator.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Risk management
To liquidity and beyond: new funding strategies for UK pensions and insurance
Prompted by policy shifts and macro events, pension funds and insurance firms are seeking alternative solutions around funding and liquidity
More cleared repo sponsors join Eurex ahead of cross-margining
End of TLTROs for banks and pension fund search for liquidity management tools drives uptake
Reimagining model risk management: new tools and approaches for a new era
A collaborative report by Chartis and Evalueserve on how the use of automation can combat the growing complexity of managing model risk due to regulation and market volatility
What Goldman’s appeal victory means for Fed stress tests
Decision could embolden more banks to appeal, analysts say. But others believe result is one-off
Clearing members rattled as CME approved to launch its own FCM
National Futures Association registration sharpens concerns about conflict of interest with CCP
CME files application for US Treasury and repo clearing
New entrant believes direct user access model will avoid accounting problem that hampers rival FICC
UST repo clearing: considerations for ‘done-away’ implementation
Citi’s Mariam Rafi sets out the drivers for sponsored and agent clearing of Treasury repo and reverse repo
Gensler to stick to Treasury clearing timetable
SEC chief promises to keep up the pressure for done-away trades